Android Apps, Apps, News

Trojan BankBot in the Google Playstore

Trojan BankBot in the Google Playstore
About Author
Christian Boas

The European security software vendor ESET has disappeared an old acquaintance in the Google Play store: the Trojan, named “BankBot”, fell into the hands of the researchers for the first time in early 2017. Now he has clammily found his way back to the Google Play Store. Disguised as a game “Jewels Star Classic” by the developer “GameDevTony”, the banking malware crept into the Android App store. As so often, the developers of the malware also used names of well-known games like Jewels Star. The fraudulent app was downloaded over 5,000 times before being removed from the Google Play Store by ESET.

Mobiler Trojaner BankBot (Bild: ESET)Mobiler Trojaner BankBot (Bild: ESET)Mobiler Trojaner BankBot (Bild: ESET)Mobiler Trojaner BankBot (Bild: ESET)Mobiler Trojaner BankBot (Bild: ESET)

Mobiler Trojaner BankBot (Bild: ESET)Mobiler Trojaner BankBot (Bild: ESET)Mobiler Trojaner BankBot (Bild: ESET)Mobiler Trojaner BankBot (Bild: ESET)

Continuous development
BankBot has evolved over time and has appeared in various versions inside and outside of Google Play. The current version is the first to successfully combine various elements of the BankBot development: improved code obfuscation, a sophisticated dropping function, and a sophisticated infection mechanism that deletes the accessibility capabilities of the device. These features have been exploited in the past by various trojans, mostly outside of Google Play.

Objective: Credit card information
If the unsuspecting Android user downloads the app, he gets a full-featured game, but with some hidden extras: the payload of the banking malware as well as a faulty service hidden within the game are executed 20 minutes after the first launch. The infected device now displays a message to the user asking them to enable something called “Google Service”. This message appears regardless of what the user is currently using with the device and without a recognizable connection to the game.

To hide it, the user has no choice but to click on “OK”. Subsequently, it is forwarded to the Android menu. Between some legitimate services is now synonymous of the malware “Google Service” listed. Clicking on the original usage conditions of Google. Once the services are activated, the malware starts to read the credit card information of their victim.

Good camouflage
The fraudsters have combined a whole host of techniques in this campaign, which are becoming increasingly popular among Android malware authors. They make it difficult for the victims to recognize the threat in time. Because the Trojans are camouflaged as Google and are waiting for 20 minutes before the attack starts, it is more difficult for those affected to link these activities to the recently downloaded app.

Android users affected by BankBot can manually clean their device by first disabling the device administration rights for “Systemupdates”, and then uninstalling both “Google Update” and the affected app.

To Top